We started looking into deploying MetalLB v0.13.6.
It has permissions to edit all CRDs on the cluster as well as all validating/mutating webhooks on the cluster.
This is a lot of permissions on a long-running service that could really damage the cluster badly.
It should be possible to use a resourceNames section (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources) on the roles to restrict the access just to the things the controller actually needs to edit.
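
A check along the lines the issue proposes, added here as an example and not part of the original report or the MetalLB project: it flags RBAC rules that grant write verbs on CRDs or admission webhook configurations without `resourceNames`. The sample rules and object names are constructed placeholders; Kubernetes cannot restrict `create` or `deletecollection` by resource name, so those verbs are reported even on a scoped rule.

```python
# Added example: flag RBAC rules that can write cluster-wide extension points
# (CRDs, admission webhooks) without a resourceNames restriction.
SENSITIVE = {
    ("apiextensions.k8s.io", "customresourcedefinitions"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
UNSCOPABLE = {"create", "deletecollection"}  # RBAC cannot restrict these by name

def _has(values, wanted):
    return "*" in values or wanted in values

def audit_rules(rules):
    """Return sorted (apiGroup, resource, verb, reason) findings."""
    findings = set()
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        verbs = WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
        names = rule.get("resourceNames", [])
        for group, resource in SENSITIVE:
            if not (_has(rule.get("apiGroups", []), group)
                    and _has(rule.get("resources", []), resource)):
                continue
            for verb in verbs:
                if not names:
                    findings.add((group, resource, verb, "no resourceNames"))
                elif verb in UNSCOPABLE:
                    findings.add((group, resource, verb, "verb cannot be name-scoped"))
    return sorted(findings)

# Constructed rules with the shape the issue describes (not copied from the chart).
BROAD_RULES = [
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
]
# Constructed scoped variant; the object names are placeholders.
SCOPED_RULES = [
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "resourceNames": ["widgets.example.io"], "verbs": ["get", "update", "patch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "resourceNames": ["example-webhook-configuration"], "verbs": ["get", "update"]},
]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("scoped", SCOPED_RULES)):
        print(label, len(audit_rules(rules)), "finding(s)")
```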